
Favourite Windows Software #6 – ADManager Plus.

August 9, 2012

Let's set the scene…

You have a large (several thousand user) Active Directory infrastructure. Your AD is a mess. You have one, some or all of the following issues:

  • User accounts still around for staff who have left.
  • Computer accounts still around for machines no longer on the network.
  • Too many groups, groups that are nested and groups that are obsolete.
  • An AD structure that doesn’t match your organisational requirements.
  • You need to make bulk changes to users/groups/computers based on membership of groups, location in AD structure or other criteria.
  • You need to provide reports on AD for this/that and the other to various people.
  • You need to automate the aforementioned reports.

Now I know PowerShell is getting better and better for AD management, but to be honest I am a GUI kind of guy and I would much prefer to be sitting in front of a GUI console. Also, you can't do everything in PowerShell.

What you need, therefore, is ManageEngine's ADManager Plus; take a look here.

See the screenshot above… see all of those reports? Now notice that these are reports for just users; on the left-hand side of the screen are categories for passwords, groups and so on. This software has a lot of reports!

I used this software a couple of years ago to hack a messy AD structure to pieces and give it a jolly good clean-up. It did a very good job indeed. It allowed me to clean up users, groups, computers and AD structure in next to no time.

Here is a good trick: search for all the accounts that haven't logged in for the last six months (ADManager will query every one of your DCs for this, which matters because the lastLogon attribute is not replicated between DCs), add them to an email distribution list (so you can send them a "your account is due to close" email), and then move them all into a container of your choice. Later on, disable the accounts.

No problem…
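For readers who want to reproduce the same workflow without the product, here is the stale-account clean-up above written against the RSAT ActiveDirectory module. This is an added example, not code from the original post or from ManageEngine; the OU name, the group name and the 180-day threshold are assumptions. It also handles two edge cases the one-line description skips: accounts that have never logged on (which have no last-logon value at all) and the fact that the replicated lastLogonTimestamp attribute can trail real activity by up to 14 days.

```powershell
#Requires -Modules ActiveDirectory
# Added example: find accounts with no logon in ~6 months, add them to a
# notification distribution list, move them to a holding OU, and (later)
# disable them. Assumed values, not from the original post:
$Days        = 180
$LeaversOU   = 'OU=Leavers,DC=corp,DC=example'   # assumed holding OU
$NoticeGroup = 'Account-Closure-Notices'          # assumed mail-enabled group
$Cutoff      = (Get-Date).AddDays(-$Days)

function Get-StaleUsers {
    param([datetime]$Cutoff)
    # LastLogonDate is derived from lastLogonTimestamp, which IS replicated but is
    # only refreshed when it is more than 14 days old (msDS-LogonTimeSyncInterval
    # default). So "stale" here really means "no logon in the last ~6 months, give
    # or take two weeks". lastLogon is exact but per-DC and unreplicated, which is
    # why a tool that wants precision has to query every domain controller.
    Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, whenCreated |
        Where-Object {
            # Never-logged-on accounts have no LastLogonDate; only treat them as
            # stale if the account itself is older than the cutoff, otherwise a
            # freshly created joiner would be swept up.
            ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff) -or
            ($null -eq $_.LastLogonDate -and $_.whenCreated   -lt $Cutoff)
        }
}

function Add-ToNoticeList {
    param([Microsoft.ActiveDirectory.Management.ADUser[]]$Users, [string]$Group)
    # Idempotent: skip users already in the group so re-running is safe.
    $existing = Get-ADGroupMember -Identity $Group |
                Select-Object -ExpandProperty DistinguishedName
    $toAdd = $Users | Where-Object { $existing -notcontains $_.DistinguishedName }
    if ($toAdd) { Add-ADGroupMember -Identity $Group -Members $toAdd }
}

function Move-ToHoldingOU {
    param([Microsoft.ActiveDirectory.Management.ADUser[]]$Users, [string]$TargetOU)
    # Moving changes the DN, so do this AFTER the group add, which used the old DNs.
    $Users | Where-Object { $_.DistinguishedName -notlike "*,$TargetOU" } |
        ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $TargetOU }
}

function Disable-StaleLeavers {
    param([string]$OU, [datetime]$Cutoff)
    # Run this later, after the notice period. Re-check staleness at disable time
    # (someone may have logged on after the email) and record the reason in the
    # description so the change is explainable in an audit.
    Get-ADUser -SearchBase $OU -Filter { Enabled -eq $true } -Properties LastLogonDate |
        Where-Object { $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
        ForEach-Object {
            $stamp = Get-Date -Format 'yyyy-MM-dd'
            Set-ADUser -Identity $_ -Description "Disabled $stamp - no logon since $($_.LastLogonDate)"
            Disable-ADAccount -Identity $_
        }
}

# Day 1: notify and quarantine.
$stale = Get-StaleUsers -Cutoff $Cutoff
Add-ToNoticeList -Users $stale -Group $NoticeGroup
Move-ToHoldingOU -Users $stale -TargetOU $LeaversOU

# Day N (after the notice period): uncomment to disable.
# Disable-StaleLeavers -OU $LeaversOU -Cutoff $Cutoff
```

Dry-run each write by appending -WhatIf to Add-ADGroupMember, Move-ADObject, Set-ADUser and Disable-ADAccount before letting it loose on a production domain, and review the list for service accounts and shared mailboxes, which legitimately never interactively log on. If the never-logged-on handling is not needed, Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays(180)) -UsersOnly gives the same core query in one cmdlet.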

ADManager works by syncing your AD into a local database, which you then manipulate; your changes are then synced back to AD. Driving the product are complicated LDAP queries (the software was developed before PowerShell, and even now I guess they might not be able to rewrite the product to use only PowerShell).

A word of warning, though: when I last used the product it could be "a bit flaky" in terms of the application running on your server. I would recommend running it on its own server rather than sharing, for example, a utility server used for other tasks (that way you can reboot when needed). The product runs fine on a virtual server, so this is a good way to maintain stability in your environment.

And once you have tidied up your AD structure what should you do?

First of all, ensure you have proper processes and procedures in place for the life-cycle of users, computers and groups, so that the leavers, orphaned machines and obsolete groups you have just cleaned out do not simply accumulate again.

You should also look at linking your AD to your HR database using an identity management system (such as Microsoft Forefront Identity Manager), so that joiners, movers and leavers in HR drive account creation, changes and disablement in AD. Be warned, though: this option is not for the faint-hearted! If you do go this route (with Microsoft FIM), I would recommend employing the UK-based professionals Oxford Computer Group, found here.

Hope you found this post useful; if you have any good AD war stories, let me know below…
